MD5 TO SHA1

[OMRetros]

How can I convert password in core from MD5 to SHA1? I got a new cms that is in md5 but my user accounts are in SHA1. Help would be appreciated.

New CMS (MD5/BCRYPT):

class User
    {
        public static function checkUser($password, $passwordDb, $username)
        {
            if (substr($passwordDb, 0, 1) == "$")
            {
                if (password_verify($password, $passwordDb))
                {
                    return true;
                }
                return false;
            }
            else
            {
                if (md5($password) == $passwordDb)
                {
                    $updateUserHash = DB::Query("UPDATE users SET password = '".self::hashed($password)."' WHERE username = '".filter(DB::Escape($username))."'");       
                    return true;
                }
                return false;
            }
        }
        public static function hashed($password)
        {   
            return password_hash($password, PASSWORD_BCRYPT);
        }
        public static function validName($username)
        {
            if(strlen($username) <= 12 && strlen($username) >= 3 && ctype_alnum($username))
            {
                return true;
            }
            return false;
        }

OLD CMS - SHA1:

function ValidateUser($username, $password)
    {
        return mysql_num_rows(dbquery("SELECT null FROM users WHERE username = '" . $username . "' AND password = '" . $password. "' LIMIT 1"));
    }
    
    function UserHash($password, $username)
    {
        return sha1(md5($password) . strtolower($username));
    }
    
    function HasNewCrypto($username)
    {
        if(mysql_result(mysql_query("SELECT newcrypto FROM users WHERE username = '" . $username . "'"), 0) == "0")
        {
            return true;
        }
        return false;
    }
    
    function CryptoValidate($username, $password)
    {
        return mysql_num_rows(dbquery("SELECT null FROM users WHERE username = '" . $username . "' AND password = '" . $password. "' LIMIT 1"));
    }

My objective is to have the new CMS working with my old accounts securely. I do not want to be hacked and I heard md5 is not secure. Thank you!

 

[JynX]

Just change the way passwords are made/changed in the classes from md5 to what your database is at, which you said was SHA1, and change the way they are read for login and you should be good.

 

[OMRetros]

Just change the way passwords are made/changed in the classes from md5 to what your database is at, which you said was SHA1, and change the way they are read for login and you should be good.

I tried but Im unsure how. I tried changing the md5 to SHA1 but it still doesn't work.

 

[JynX]

Well your old cms is using SHA1 and MD5 as seen in a piece of the code: return sha1(md5($password)
On your new CMS change the stuff that is like this: if (md5($password) == $passwordDb) to something like this:
if (sha1(md5($password)) == $passwordDb)

 

[OMRetros]

Well your old cms is using SHA1 and MD5 as seen in a piece of the code: return sha1(md5($password)
On your new CMS change the stuff that is like this: if (md5($password) == $passwordDb) to something like this:
if (sha1(md5($password)) == $passwordDb)

No luck bro I tried changing.
Anything that maybe needs changing here?

{
                    $updateUserHash = DB::Query("UPDATE users SET password = '".self::hashed($password)."' WHERE username = '".filter(DB::Escape($username))."'");       
                    return true;
                }
                return false;
            }
        }
        public static function hashed($password)
        {   
            return password_hash($password, PASSWORD_BCRYPT);

public static function login()
        {
            global $config,$lang;
            if (isset($_POST['login']))
            {
                if ($_POST['hiddenField_login'] == hiddenField())
                {
                    if (!empty($_POST['username']))
                    {
                        if (!empty($_POST['password']))
                        {

 

[JynX]

return password_hash($password, PASSWORD_BCRYPT);
Can't have bcrypt

 

[OMRetros]

return password_hash($password, PASSWORD_BCRYPT);
Can't have bcrypt

So just remove that or change it to something else?
Removed BCRYPT still doesn't work sadly.

 

[JynX]

OMRetros, do you have teamviewer so I can explain it more in detail?

 

[OMRetros]

OMRetros, do you have teamviewer so I can explain it more in detail?

Yeah you got like skype or ill pm you.

 

[MayoMayn]

Hey man, what you should consider doing instead, would be using their password functions: password_verify() and password_hash(). And well, consider cleaning the shit up, because there's a lot of unneeded coding inside there. Aswell as all CMS contain deprecated mysql_. mysqli a must, bit pdo is the shit. It's also easy to fraud and fake a user through sessioning. When the user gets logged in, it sets sessions from the users table in db, BUT there's none sort of authentication key, like match against password. It's so dann unbreachable.

Sent from my SM-G928F using Tapatalk

 

[MayoMayn]

So just remove that or change it to something else?
Removed BCRYPT still doesn't work sadly.

Use PASSWORD_DEFAULT instead of BCRYPT

Sent from my SM-G928F using Tapatalk

 

[OMRetros]

Use PASSWORD_DEFAULT instead of BCRYPT

Sent from my SM-G928F using Tapatalk

I tried everything man it just doesn't want to work.

 

[MayoMayn]

I tried everything man it just doesn't want to work.

Sorry man, but you should find a new CMS, whoever made that, is a bunch of noobs who doesn't care about xss or sqli's. For the record, I would recommend using PDO. I can paste some code ina few minutes on how mine works.
 

Well your old cms is using SHA1 and MD5 as seen in a piece of the code: return sha1(md5($password)
On your new CMS change the stuff that is like this: if (md5($password) == $passwordDb) to something like this:
if (sha1(md5($password)) == $passwordDb)

Totally wrong. Hashing passwords with sha1 that's already hashed with md5 is stupid lmao.
 
Here's how I have done it in my CMS:
For hashing the password's when users register, I've done something similar to yours:

final public function hashed($password) {
        return password_hash($password, PASSWORD_DEFAULT);
    }

And for validation passwords when user logs in, I've done this:

final public function passValidation($username, $password) {    
        global $db, $core;
        $conn = $db->PDO();
        try {
            $stmt = $conn->pdo->prepare('SELECT `password` FROM `users` WHERE `username` = :u LIMIT 1');
            $stmt->bindParam(':u', $username, $db->PARAM_STR);
            $stmt->execute();
            if(password_verify($password, $stmt->fetchColumn())) {
                return true;
            }
            return false;
        } catch(PDOException $e) {
            die($e->getMessage());
        }
        $conn = null;
    }

Oops, please bear in mind, that I'm using class-oriented PDO, and not mysql or mysqli.
Just use:

if(password_verify($password, $stmt->fetchColumn())) {
      return true;
}

and switch out

$stmt->fetchColumn()

with whatever users stored password in db is.

Anyway I'm just wondering, if I am really the only one with a hotel, which is not a complete shitload of deprecated coding?
 
Anyway, if you want to convert md5 into sha1, devbest is probably not the best way to ask a question. A simple Google search gave you the answer:

You must be registered for see links

 

[OMRetros]

Sorry man, but you should find a new CMS, whoever made that, is a bunch of noobs who doesn't care about xss or sqli's. For the record, I would recommend using PDO. I can paste some code ina few minutes on how mine works.
 

Totally wrong. Hashing passwords with sha1 that's already hashed with md5 is stupid lmao.
 
Here's how I have done it in my CMS:
For hashing the password's when users register, I've done something similar to yours:

final public function hashed($password) {
        return password_hash($password, PASSWORD_DEFAULT);
    }

And for validation passwords when user logs in, I've done this:

final public function passValidation($username, $password) {   
        global $db, $core;
        $conn = $db->PDO();
        try {
            $stmt = $conn->pdo->prepare('SELECT `password` FROM `users` WHERE `username` = :u LIMIT 1');
            $stmt->bindParam(':u', $username, $db->PARAM_STR);
            $stmt->execute();
            if(password_verify($password, $stmt->fetchColumn())) {
                return true;
            }
            return false;
        } catch(PDOException $e) {
            die($e->getMessage());
        }
        $conn = null;
    }

Oops, please bear in mind, that I'm using class-oriented PDO, and not mysql or mysqli.
Just use:

if(password_verify($password, $stmt->fetchColumn())) {
      return true;
}

and switch out

$stmt->fetchColumn()

with whatever users stored password in db is.

Anyway I'm just wondering, if I am really the only one with a hotel, which is not a complete shitload of deprecated coding?
 
Anyway, if you want to convert md5 into sha1, devbest is probably not the best way to ask a question. A simple Google search gave you the answer:

You must be registered for see links

Pretty much man some people do not know how to code including myself sadly hence why some hotels aren't the best. I just do not have the time or willingness to learn. I appreciate you assisting me, however I think I'll just stick with my current cms.

 

[MayoMayn]

Pretty much man some people do not know how to code including myself sadly hence why some hotels aren't the best. I just do not have the time or willingness to learn. I appreciate you assisting me, however I think I'll just stick with my current cms.

Sure man, just pm me if you got any questions.